Kortan, Michael P. (DO) (FBI) 


From: Kortan, Michael P. (DO) (FBI) 

Sent: Wednesday, October 5, 2016 1:58 PM 

To: Stickels, Jillian B. (DO) (FBI); Cratty, Carol A. (DO) (FBI) 
Subject: RE: Trump issue 


This is the Lichtblau, Nakashima issue and it’s primarily a Cl issue, and they are aware of it. 


From: Stickels, Jillian B. (DO) (FBI) 

Sent: Wednesday, October 05, 2016 1:36 PM 

To: Kortan, Michael P. (DO) (FBI) <Michael.Kortan@ic.fbi.gov>; Cratty, Carol A. (DO) (FBI) <Carol.Cratty@ic.fbi.gov> 
Subject: RE: Trump issue 


l'Il check with Cyber on this, and perhaps NY as well. 


From: Mark.Hosenball@thomsonreuters.com [mailto: Mark.Hosenball@thomsonreuters.com | 
Sent: Wednesday, October 05, 2016 1:33 PM 

To: Kortan, Michael P. (DO) (FBI); Stickels, Jillian B. (DO) (FBI); Cratty, Carol A. (DO) (FBI) 
Subject: Trump issue 


The information below, supposedly posted by private computer experts, suggests some kind of transactions through 
a secret data channel between Alfa Bank in Russia and a supposed “hidden” Donald Trump Organization data server. 


It has been suggested to me that this information and scenario is under careful investigation by the FBI. What can you 
tell me about all of this ? Many thanks. 


Mark Hosenball 
Senior National Security Correspondent 


Reuters Washington Bureau 


202 3545821 


Global DNS Data 


This site provides neutral, factual DNS data, showing how networks communicate with each other. 


1. Lookups for maill.trump-email.com 
This data shows communications between Trump, Spectrum, and Russian Alfa Bank networks. 


2. Network Diagram Scenario 


This diagram (png file: 183769 bytes) shows how parties communicated via email using different servers. 
3. Check back for more 
4. Leave questions at: tea. leaves@tuta.io 


Summary: 


e Trump and Russia's largest private bank communicate via hidden server since at least 
2016 May 
e Confronted with questions by NYT reporter, Alfa Bank denies any relationship 
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e Hidden server belonging to Trump then disappears (no one but Alfa Bank was asked) 
e Deleted host name mail1.Trump-Email.com is replaced with trump1.contact-client.com 
e Russian Alfa Bank is the first host seen to contact the new trump1. server 
Comments: 
Trump's FEC filings fail to disclose any foreign bank account in Russia or relationship 
with the Russian Alfa Bank. 


Network logs show a distinctively human pattern of communications between a hidden 
server dedicated for use by the Trump Organization and the Russian financial company 
Alfa Bank, which has close ties to the Kremlin. Trump campaign advisors also have 
relationships with Alfa Bank and related Alfa-Group / LetterOne. 


The other frequent connection to Trump's hidden server with the same distinctive human 
pattern is Spectrum Health, a Michigan hospital with close ties to the DeVos family 
(http:/Awww.spectrumhealth.org/locations/helen-devos-childrens-hospital). The Devos 


family founded Amway / Alticor which operates in Russia including transactions with 
Alfa Bank such as buying insurance for 800 Alticor employees from Alfa Bank's 
insurance subsidiary. The Devos family has given millions of dollars in the past few 
months to conservative super PACs (www.fec.gov). One member of the Devos family 
was a founder of Blackwater. 


Trump's hidden server appears to be a specially configured outbound email server. The 
email server type normally would handle outbound bulk advertising or transactional mail 
for a large enterprise to customers, powerful enough to deliver millions of emails per day. 
( http://www.marketerspublishinggroup.com/PMTA-UsersGuide-4.0.pdf). Different in 
every way from traffic seen on adjacent servers managed by the same server company, 
this specially configured server has been exclusively corresponding with Alfa-Bank and 
Spectrum since at least May 2016 with a cadence and rate of a human conversation. See 
the graph of the connections here. 


The stealth server has had two different names: 


maill.Trump-Email.com (zone deleted on Friday, 2016-Sept-23 after the Russian Alfa- 
Bank was asked by the New York Times to explain the communications) 


and on 2016-Sept-27 a new name showed up: 
trump 1 .contact-client.com 


When a reporter from the New York Times (NYT) asked the Russian Alfa Bank for 
comment about the apparent communications, Alfa Bank denied any relationship with the 
Trump Organization. The NYT reporter communicated with no one other than the 
Russian Alfa Bank - yet the Trump-Email.com domain began showing signs of panicked 
reconfiguration within hours of the New York Times asking the Russian Alfa Bank why 
they were making connections to Trump-Email.com. While no errors were seen in all the 
months prior to this question from the reporter - suddenly errors appeared. Two of the 
authoritative name server hosts deleted the zone, while the third authoritative just erased 
the IP from the configuration line and continued to answer authoritatively. This mistake 
can still be demonstrated at the time of this writing. 
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The Trump Organization deleted the Trump-Email.com zone shortly before 10 AM 
Eastern US time on Friday Sept 23rd after the NYT reporter called Alfa Bank. This 
suggests a cover-up attempt by Trump and Alfa Bank. It suggests communication from 
Alfa Bank warning the Trump Organization to take action to remove the evidence of the 
hidden server domain, maill.Trump-Email.com. 


The physical server itself was never changed; just the hostname mail! .Trump-Email.com 
stopped pointing to that physical server and the hostname was effectively deleted from the 
global Domain Name System (DNS). 


By September 27th 2016, the Trump Organization had created a new host trump! .contact- 
client.com pointing to the exact same physical server previously operating as 
maill.Trump-Email.com. 


The Russian Alfa Bank was the first to contact the newly renamed host, strongly 
indicating again that Trump and Alfa Bank are coordinating with each other and have a 
very close relationship. After this discovery, they are likely moving conversations to a 
new channel. 


Trump has a bank account with the Russian Alfa Bank, which may explain the need for 
hidden server communications. Alfa Bank / Alfa Group / LetterOne has expressed interest 
in investing billions in US health care companies, which could include Michigan's 
Spectrum Health or could be regarding the financial relationships Amway/Alticor has 
with the Russian Alfa Bank insurance company. 


F.A.Q. 


Are you sure the Trump-Email.com domain really belongs to the Trump 
Organization? 


We have 100% confidence. You can verify the complete whois record by going to the 
Godaddy.com website and clicking on WHOIS. While whois records can be forged, we 
also judge authenticity based on the resources used by each domain name. A very detailed 
analysis has been made of thousands of Trump Organization domain names, vendors and 
hosting resources, confirming that this domain without question belongs in the same 


group. 
Excerpt from Trump-E mail.com whois record: 


Registrant Name: Trump Orgainzation 

Registrant Organization: Trump Orgainzation 

Registrant Street: 725 Fifth Avenue 

Registrant City: New York 

Registrant State/Province: New York Registrant State/Province: New York 
Registrant Postal Code: 10022 

Registrant Country: US Registrant Country: US 

Registrant Phone: +1.2128322000 
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